iSpy: The CIA's Nearly Decade Old Operation to Hack iPhones

Federal researchers within the the United States Central Intelligence Agency (CIA) have targeting and tried to steal the security keys associated with encrypting data stored on Apple devices with the intent to break the system since their initial release back in 2006, dawning almost a decade ago.

Newly leaked top-secret government documents from the NSA whistleblower, Edward Snowden, reveal CIA researchers attempted to crack encryption keys implanted within Apple’s mobile processor, alongside the CIA developed their own dummy version of Xcode to emulate and aid infection scenarios.

The agency had an aggressively-fueled determination to break into Apple devices, starting with their own build of Xcode. For those who don’t know, Xcode is Apple’s application development platform, used by a a majority of developers to develop apps for iPhone, iPads and Mac computers.

If the development software was compromised, CIA, NSA and various other three letter agencies would be able to inject a backdoor surveillance tool into programs distributed via Apple’s App Store. The objective was to develop apps within the poisoned version of Xcode, then have apps install remote backdoors allowing access to the phones core.

In the custom version of Xcode the CIA built, the software could be abused to spy on users, steal passwords, steal personal information, intercept communications and disable the core security features on the Apple device. The research even went as far as to try and impersonate developers by embedding an app developers private keys into every app.

Recent revelations from top-secret documents revealed that security researches work was present at their 2012 annual gathering called, “Jamboree”, a secret CIA sponsored event which has been ongoing for nearly a decade at a Lockheed Martin facility in northern Virginia. The first “Jamboree” meeting came a year before Apple released their new iPhone technology, the first introduction to the iOS mobile operating system.

The conference was sponsored by the CIA’s Information Operation Center, a subdivision within the CIA which conducts covert cyberattacks. Top-secret National Security Agency (NSA) documents revealed the aim of the conference, according to a 2012 internal NSA wiki, was to host “presentations that provide important information to developers trying to circumvent or exploit new security capabilities,” as well as to “exploit new avenues of attack.” NSA personnel were allowed to attend the conference through an NSA counterpart to the CIA’s Trusted Computing Base, according to the internal documents.

The research and abuse of Apple devices is consistent with a much broader secret U.S. government program, one aimed to analyze “secure communications products, both foreign and domestic” with intent to “develop exploitation capabilities against the authentication and encryption schemes,” according to the 2013 “Black Budget.” The top-secret budget allocated to the U.S. intelligence community, which was documented at $52.6 billion in 2012 alone.

In 2013, according to the classified budget, U.S. intelligence agencies were working to create new capabilities against dozens of commercially produced security products, including technology made by American companies, in order to seek out vulnerabilities. Allocating the budget to attack commercial technology could help uncover vulnerabilities at a faster rate.

A joint task force consisting of operatives from the NSA and Britain’s Government Communications Headquarters, formed in 2010, developed surveillance tools targeting iPhones, Android devices and Nokia’s Symbian handsets. The Mobile Handset Exploitation Team successfully implemented malware on iPhones as part of WARRIOR PRIDE, a framework set by the GCHQ for secretly accessing private communications on mobile devices.

The program, disclosed last year in a previous round of leaked Snowden documents also cited a WARRIOR PRIDE plugin called NOSEY SMURF, which allowed spies to remotely active the devices microphone. The agency had an arsenal of SMURF plugins, another plugin known as DREAMY SMURF, allowed the agencies to manage the power system on a phone to avoid detection. Another, PARANOID SMURF, was designed to conceal the malware implanted on the phone in several different ways. TRACKER SMURF was build for ultra-precision geolocating of the device, a technology that is vital to agents gathering pinpoint locations of where the device has been.

For any of the SMURF malware to be implanted in the iOS device, it had to be done one of two ways, either agents would need to hack the device or sneak a backdoor into an app the user has installed on the phone, giving spies direct access to the handset.

Alongside that, security experts pointed out that the SMURF capabilities have been available to U.S. and U.K. intelligence agencies for nearly 5 five years. Begging the question, how advanced is today’s surveillance, five years later? A slide in a GHCQ documented stated the agencies goals was to be able to “Exploit any phone, anywhere, any time.”

In a 2011 presentation at the CIA’s Jamboree, researchers revealed their efforts to attack one of the key privacy elements in Apple’s mobile devices. There are two keys, that when paired together, encrypt the data stored on iPhones, iPads and iPods. One consists of the User ID, which is a unique to each individual phone and is not retained by Apple. The User ID key is vital to protecting an individuals data, and is difficult to steal in the latest iPhone handsets. The second key necessary for device encryption is the Group ID (GID), which is known by Apple and used across any number of Apple devices using the same processor. The GID is used to encrypt essential system software that runs on Apple’s mobile devices. Both keys protect a different set of data but are vital for overall encryption of the phone.

In the conference, researchers outlined they were interested in targeting the GID key, which Apple keeps the same on a massive number of devices. An example, Apple’s A4 processor was used in a number of devices, including the iPhone 4, iPod touch and the original iPad. Meaning all the devices used the same Group ID. Meaning, if intelligence agencies successfully extract the GID key, they have information useful to compromising any device using that GID. Though, new processors mean new GIDs for Apple.

At the conference, two separate presentations occurred, one on how to “non-invasively” obtain the key, which was done by studying the electromagnetic emissions, along with the power consumption of the device, that the iPhone’s processor emitted while the encryption was performed. Careful analysis could be used to successfully extract the encryption key. The second conference focused on a “method to physically extract the GID key.”

Apple has had encryption settings on their devices for years, but Apple’s latest products in 2014 began to encrypt iPhone’s and especially Mac computers by default. The company even began leaving the private key on the device, hindering the ability for the company to comply with law enforcement, as they no longer are in possession of the private key for each individual device. Something that concerns the FBI director, stating Apple and Google’s encryption policies may aid criminals and terrorist.

Obama and CIA iPhone Hacking, Freedom Hacker — Vice President Joe Biden and President Barack Obama look at an app on an iPhone in the Outer Oval Office,

As U.S. President Barack Obama criticizes China for forcing tech companies to install backdoors on the device for the sole purpose of government surveillance, the U.S. intelligence agencies are doing the exact same thing. The Intercept said China is just following America’s lead, that’s all.

Apple CEO, Tim Cook, claims the company does not work hand-in-hand with the government in any way. In an interview, Cook said “when we design a new service, we try not to collect data, so we are not reading your email, we’re not reading your iMessage, if the government laid a subpoena on us to get your iMessages, we can’t provide it, it’s encrypted and we don’t have the key.” Referring to Edward Snowden and his revelations, Cook also claimed Apple “wanted to be totally transparent because there were rumors and things being written in the press, that people had backdoors to our servers, none of that is true, zero.”

“Spies gonna spy,” said Steven Bellovin, a former chief technologist for the U.S. Federal Trade Commission, who is now an active professor at Columbia University. “I’m never surprised by what intelligence agencies do to get information. They’re going to go where the info is, and as it moves, they’ll adjust their tactics. Their attitude is basically amoral: whatever works is OK.”